The present invention relates to data security and, more particularly, but not exclusively to a method and apparatus for securing data in a networked environment.
As modern information technology evolves, communication channels become faster and more versatile, enterprise Information Technology (IT) infrastructure becomes more complex, and there arises a need to store and process growing amounts of information.
The growing amounts of information raise the need to secure confidential information used for business or personal purposes.
Threats to the security of an IT infrastructure can be roughly divided into two groups: Intrusions to organizational IT infrastructures, and Information Leakage.
Intrusions to organizational IT infrastructures may include, but are not limited to introduction of Malicious Content (Malware) into the organizational IT infrastructure.
Malicious Content may be classified into several categories: computer viruses—malicious computer programs that replicate themselves, worms—computer programs which quickly spread through a computer network and clog up the network, spyware—deceptive software that installs itself on a computer and allows an outsider to harvest private information, and trojan horses—programs that appear to have some useful or benign purpose but really mask some hidden malicious code.
These threats are commonly addressed by inspecting, blocking or filtering data when entering the organization (using firewalls, anti-viruses, mail filters etc., as known in the art).
The threats may also be addressed by monitoring the processing of incoming data, and blocking operations that attempt to violate security policies (using intrusion detection/prevention systems, anti-spyware, sandboxing etc., as known in the art).
Information Leakage threats are threats which originate from entities within the organization, who convey information to entities that are not authorized to access the information conveyed.
The unauthorized entities may include entities within the organization (say one of the organization's junior employees), entities that are external to the organization (say an employee of a competitor), etc.
The leakage of the information may be deliberate or accidental. The leakage may also be caused by malicious content (such as spyware introduced into the organizational IT infrastructure, as described hereinabove).
Information Leakage is more difficult to recognize, as it rarely involves immediate, noticeable damage to the IT infrastructure.
Moreover, confidential data is part of everyday operations, and sharing the confidential data within and sometimes outside the organization (with partners, customers, etc.) is essential to business, so legitimate behavior or workflow is hard to define.
Existing solutions usually require classification of organizational data and restricting the operations of users when processing confidential data or accessing sensitive sources. However, existing solutions create tradeoffs between protection and usability.
Today, organizations' awareness of the need to secure confidential information is augmented by recent legislation and regulations such as the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act, NASD 2711, Sarbanes-Oxley Act, and the Basel Capital Accord.
The recent legislation and regulations acknowledge the risk of exposing personal information, and are enforced on organizations that deal with sensitive private information, such as healthcare providers, law enforcement agencies, insurance companies, and financial institutions, to protect sensitive private information against theft or leakage.
Current legislation also enforces the use of auditing and forensics tools to enable damage control and tracking down of the information leakage sources.
Currently, several methods are implemented for protecting organizations against information leakage.
Device control—is a method which includes a range of solutions that eliminate the ability of a user to write information to an outgoing data channel such as portable memory devices, communication devices such as modems, bluetooth and wifi devices, CD writers, floppy discs, etc. Device control methods prevent unauthorized transfer of information out of the organizational systems. However device control methods provide no protection against transfer via day-to-day communication channels that are essential to business and cannot be blocked, such as e-mail, web, instant messaging, etc.
Pattern based blocking—a method which analyzes the information that is transported over communication channels, usually using a gateway or an endpoint filter. Pattern based blocking applies pre-defined patterns (a.k.a. data signatures) to allow or block the transport of information outside the endpoint or the organizational network.
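The following is an added illustration of the pattern based blocking described above; it is not code from the patent or from any product it names. It applies two kinds of data signature to an outbound payload: regular-expression patterns for structured identifiers (the credit-card pattern is backed by a Luhn check to reduce false positives) and a fingerprint of registered confidential documents. The signature names, the registered document and the sample messages are constructed for the example.

```python
"""Pattern based blocking of outbound content (added example, constructed data)."""
import hashlib
import re
from dataclasses import dataclass, field

# Data signatures: name -> compiled pattern. Constructed for illustration.
SIGNATURES = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "internal_marking": re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used so that arbitrary digit runs do not trip the card pattern."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize(text: str) -> str:
    """Collapse case and whitespace so trivial edits do not change the fingerprint."""
    return " ".join(text.lower().split())


def fingerprint(text: str) -> str:
    """Hash of the normalized text; a registered document's hash is a data signature too."""
    return hashlib.sha256(normalize(text).encode("utf-8")).hexdigest()


@dataclass
class Verdict:
    action: str                     # "allow" or "block"
    matches: list = field(default_factory=list)   # names of the signatures that fired


class PatternFilter:
    """Gateway or endpoint filter that allows or blocks an outbound payload."""

    def __init__(self, registered_docs):
        # Fingerprints of documents the organization has classified as confidential.
        self.known = {fingerprint(d) for d in registered_docs}

    def inspect(self, payload: str) -> Verdict:
        matches = []
        for name, pattern in SIGNATURES.items():
            for m in pattern.finditer(payload):
                if name == "credit_card":
                    digits = re.sub(r"[ -]", "", m.group())
                    if not luhn_ok(digits):
                        continue        # digit run that is not a valid card number
                matches.append(name)
        if fingerprint(payload) in self.known:
            matches.append("registered_document")
        return Verdict("block" if matches else "allow", matches)


if __name__ == "__main__":
    flt = PatternFilter(["Project Falcon pricing: internal only."])
    for msg in ["Please pay with 4111 1111 1111 1111 today",
                "Invoice 1234 5678 9012 3456 attached",
                "project  FALCON pricing: Internal Only.",
                "Lunch at noon?"]:
        print(flt.inspect(msg))
```

The second sample message shows why the checksum matters: a sixteen-digit run that fails Luhn is allowed through, whereas a plain regular expression would block it. The third message shows the limit of exact fingerprinting: it catches a document sent verbatim (up to case and spacing), but not an excerpt or a paraphrase, which is the weakness of signature-based methods that the text goes on to discuss.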
Heuristic behavior analysis—is a method which monitors user and application behavior, and compares the monitored behavior with a set of pre-defined policies and heuristics, that comprise the company's security policy. Actions that violate the security policy of the company are blocked or restricted. An exemplary product which implements the method is SureView™, by Oakley networks Inc.
However, Heuristic behavior analysis has difficulties in defining legitimate behavior of users or applications. Heuristic behavior analysis fails to detect information leaks by sophisticated users or malicious applications that use what seems to be day-to-day communication.
Authentication and content encryption—a method which allows only authorized users to access pre-defined confidential data or sources. The users have to pass an identification and authentication process prior to accessing the predefined confidential data.
Encryption is a common method that helps enforce the authorized access, and prevents unauthorized users from actually reading the data, even if they manage to obtain the data itself. An example of such a product is SafeGuard™ by Utimaco Safeware AG.
Authentication and content encryption solutions protect against use of data by unauthorized or unauthenticated users or machines. But when dealing with intentional information theft, authentication and content encryption solutions fail to prevent an authorized user, or malicious code running on an authorized user's computer, from exploiting its access privileges to leak data, for instance by copying the data to another document that is not encrypted, printing the data, etc.
Rights management solutions, as provided by Microsoft, may be positioned for instance on top of Windows™ servers, and extended by products such as Liquid Machines™'s document control for Microsoft™ RMS.
Rights management solutions are based on classifying files created by Microsoft™ RMS enabled applications into different confidentiality levels. Each confidentiality level is associated with permissions to certain computers, users, or groups and can restrict viewing, editing, printing, using copy-paste, forward and save. The permissions may be set by the authoring user or according to administrator policy template.
Rights management solutions protect against unauthorized users or machines, but cannot prevent authorized users from exploiting their access privileges. The permissions are enforced by specific applications, so an authorized user may use a different application to bypass the usage restrictions.
Some current systems create a classified area or network within the organization, to which only classified computers are connected. The classified area is the only place where confidential data is created, stored, or processed. Some systems use virtual segregation instead of physical segregation between two endpoint computers. The systems implement one or more of the following technologies:
Remote desktop technologies, such as Terminal Services™ and Citrix™, allow a user to access and perform actions on remote environments that are physically or virtually separated from the user's endpoint computer.
By itself, remote desktop technology is not a security system, but it may be used as a platform to create segregation between environments. With the remote desktop technologies, confidential data is held within a network that is accessible only to the servers on which the remote desktop sessions are operating. The user endpoint computer only gets a primitive representation of the information, with no ability to save or distribute the confidential information out of the classified network.
Virtual machine systems, such as Microsoft Virtual PC™ and VMWare™, allow a user to create virtual machines within the user endpoint device. The virtual machine acts as a separated physical computer and may be used as a platform for environment segregation.
To further enhance the protection of confidential data, such solutions enable encryption of the virtual machine storage devices, preventing any access from the endpoint device itself.
Yang Yu et al., from the Computer Science Department of Stony Brook University, in proceedings of the 4th workshop on Digital Rights Management, in Washington D.C., on Oct. 25, 2004, described a Display Only File Server (DOFS). Yang Yu's DOFS stores enterprise sensitive files on a protected server and prevents bits of the files from physically leaving the server. However, users can still read or write these files through standard applications such as a PDF reader or MS Word.
U.S. Pat. No. 6,922,774, to Meushaw, filed on May 14, 2001, entitled “device for and method of secure computing using virtual machines”, describes the use of virtual machines to create a secured environment, where different virtual machines are created for various levels of confidentiality. Meushaw also describes a secured online communication between the classified environments using encryption to prevent unauthorized access from other environments.
U.S. Pat. No. 6,836,888, to Basu, filed on Mar. 17, 2000, entitled “System for reverse sandboxing” describes the use of a sandbox, which is virtually separated from the endpoint device, thus allowing processing of confidential data within the sandbox, and eliminating the risks that reside within an untrusted endpoint device.
The segregation-based solutions described hereinabove focus on protecting confidential sources that are part of, or accessible from within the confidential environment or machine, blocking unauthorized access from other environments, thus locking all confidential data within a limited environment.
However, the segregation-based solutions described hereinabove do not protect, and sometimes do not even allow, the transportation of information via platforms that are not part of the secure environment. Examples of such platforms include: storage servers (file systems, databases), communication servers (for messaging, e-mail, web access, etc.) and even personal devices (say USB portable memory devices).
Furthermore, the methods described hereinabove require a separate set of systems and platforms, or well-defined regions dedicated to confidential data. The regions have to be well separated and protected from the rest of the network, and are limited with respect to using the network's infrastructure and systems.
There is thus a widely recognized need for, and it would be highly advantageous to have, a system devoid of the above limitations.